Abstract

The paper analyzes a new public key cryptosystem whose security is based on a 
matrix version of the discrete logarithm problem over an elliptic curve. 

It is shown that the complexity of solving the underlying problem for the proposed 
system is dominated by the complexity of solving a fixed number of discrete logarithm 
problems in the group of an elliptic curve. Using an adapted Pollard rho algorithm 
it is shown that this problem is essentially as hard as solving one discrete logarithm 
problem in the group of an elliptic curve. 
1 Introduction



Public-key cryptography, based on the intractability of the discrete logarithm problem, was introduced by Diffie and Hellman [5]. The Diffie-Hellman protocol allows two parties Alice and Bob, who are communicating over an insecure channel, to generate a shared secret key which is difficult to compute for an eavesdropper.

The discrete logarithm problem (DLP) over various finite groups has been studied extensively. In the early days the main example was the multiplicative group of a finite field $\mathbb{F}_q$. Odoni, Varadharajan and Sanders [?] introduced the discrete logarithm problem for matrices over $\mathbb{F}_q$ and a Diffie-Hellman key exchange protocol based on matrices. However, Menezes and Wu reduced the discrete logarithm problem for matrices to some discrete logarithm problems over small extensions of $\mathbb{F}_q$.

In the late eighties Miller [?] and Koblitz [7] independently proposed to study the DLP in the group of $\mathbb{F}_q$-rational points of an elliptic curve. This was the start of active research in the area of elliptic curve cryptography (ECC), and of its use for implementing public-key protocols such as the Diffie-Hellman key agreement. The security of ECC is based on the presumed intractability of the discrete logarithm problem over the curve.

A vast amount of research has been done on the security and efficient implementation of ECC. Finite groups based on elliptic curves are very appealing, as the best algorithms known to tackle the DLP over an elliptic curve have exponential running time, and this despite intensive attempts on this problem. The interested reader may consult the recent book [3].

Recently, Climent, Ferrandez, Vicent and Zamora [2] introduced a Diffie-Hellman key exchange protocol which uses a combination of matrix algebra ideas and the addition of points on an elliptic curve. We will describe this new cryptosystem CFVZ in the next section. The main results of this paper will be presented in Section 3. We will show that CFVZ can be reduced to the problem of solving $2rs$ discrete logarithm problems over an elliptic curve in a simultaneous manner. The complexity for doing this is considerably less than that of solving $2rs$ single discrete logarithm problems over an elliptic curve.

2 The cryptosystem CFVZ of Climent-Ferrandez-Vicent-Zamora

Let $E$ be an elliptic curve defined over the finite field $\mathbb{F}_q$, and let $E(\mathbb{F}_q)$ denote the group of $\mathbb{F}_q$-rational points of $E$. Assume that $E(\mathbb{F}_q)$ is a cyclic group of order $n$. Denote by $\mathrm{Mat}_r(\mathbb{Z})$ the set of all $r \times r$ matrices with integer entries and denote by $\mathrm{Mat}_{r\times s}(E(\mathbb{F}_q))$ the set of all $r \times s$ matrices whose entries are elements of the group $E(\mathbb{F}_q)$. Let $r, s$ be fixed positive integers and consider the set

$$\Theta = \left\{ \begin{pmatrix} A & \Pi \\ 0 & B \end{pmatrix} : A \in \mathrm{Mat}_r(\mathbb{Z}),\ B \in \mathrm{Mat}_s(\mathbb{Z}),\ \Pi \in \mathrm{Mat}_{r\times s}(E(\mathbb{F}_q)) \right\}.$$

The set $\Theta$ is a semigroup with the formal matrix multiplication

$$\begin{pmatrix} A & \Pi \\ 0 & B \end{pmatrix} \begin{pmatrix} C & \Psi \\ 0 & D \end{pmatrix} = \begin{pmatrix} AC & A\Psi + \Pi D \\ 0 & BD \end{pmatrix},$$

where

$$A\Psi = [a_{ij}][\psi_{ij}] = [\theta_{ij}] \quad \text{with} \quad \theta_{ij} = \sum_{k=1}^{r} a_{ik}\,\psi_{kj},$$

and similarly for $\Pi D$.

Without loss of generality we will assume that $A$ and $B$ are matrices defined over $\mathbb{Z}/n\mathbb{Z}$. If $A$ and $B$ are invertible matrices over the ring $\mathbb{Z}/n\mathbb{Z}$ then we can consider the subgroup generated by the public element

$$M = \begin{pmatrix} A & \Pi \\ 0 & B \end{pmatrix}.$$
Let $m \ge 1$ be an integer. A direct computation shows that

$$M^m = \begin{pmatrix} A^m & \Pi_m \\ 0 & B^m \end{pmatrix},$$

where

$$\Pi_m = \sum_{i=0}^{m-1} A^{m-1-i}\, \Pi\, B^{i}. \qquad (1)$$

One way of setting up a discrete logarithm problem is:
"Given the matrices $M$ and $M^m$, find $m$."

As shown in [2], the order of $M$ is the least common multiple of the orders of $A$ and $B$, and hence this discrete logarithm problem has the character of a discrete logarithm problem over the matrix ring.

A more interesting problem was introduced in [2]; we will call this problem the

CFVZ discrete logarithm problem: given $\Pi, \Psi \in \mathrm{Mat}_{r\times s}(E(\mathbb{F}_q))$, find $m \in \mathbb{Z}$ such that $\Psi = \Pi_m$ (whenever such an $m$ exists).

Remark 2.1. Notice that if the CFVZ discrete logarithm problem has a solution $m_0$, then it has infinitely many solutions in $\mathbb{Z}$. In fact, each element of the coset $m_0 + l\mathbb{Z}$ is a solution, if we let $l$ be the order of $M$. Moreover, it may be that $\Pi_m = \Pi_{m_0}$ even for values of $m$ for which $M^m \ne M^{m_0}$.

Notice in addition that the sequence $\Pi_m$ is obtained from a recurrence relation, namely

$$\Pi_m = A\,\Pi_{m-1} + \Pi\, B^{m-1}.$$

In particular, the sequence of the $\Pi_m$ has a period. However it is not true in general that $\Pi_i = \Pi_j$ implies $\Pi_{i+1} = \Pi_{j+1}$.

The CFVZ discrete logarithm problem induces a Diffie-Hellman key exchange in the following way:

Alice chooses a private key $k$ and computes

$$M^k = \begin{pmatrix} A^k & \Pi_k \\ 0 & B^k \end{pmatrix}.$$

She takes $\Pi_k$ as her public key.

Bob chooses a private key $l$ and computes

$$M^l = \begin{pmatrix} A^l & \Pi_l \\ 0 & B^l \end{pmatrix}.$$

He takes $\Pi_l$ as his public key.

Then Alice and Bob consider the matrices

$$\mathcal{R} = \begin{pmatrix} A & \Pi_l \\ 0 & B \end{pmatrix} \quad \text{and} \quad \mathcal{S} = \begin{pmatrix} A & \Pi_k \\ 0 & B \end{pmatrix}$$

respectively and compute

$$\mathcal{R}^k = \begin{pmatrix} A^k & (\Pi_l)_k \\ 0 & B^k \end{pmatrix} \quad \text{and} \quad \mathcal{S}^l = \begin{pmatrix} A^l & (\Pi_k)_l \\ 0 & B^l \end{pmatrix}$$

respectively. The shared secret is then, by equation (1),

$$(\Pi_l)_k = \sum_{i=0}^{k-1} A^{k-1-i} \left( \sum_{j=0}^{l-1} A^{l-1-j}\, \Pi\, B^{j} \right) B^{i} = \sum_{i=0}^{l-1} A^{l-1-i} \left( \sum_{j=0}^{k-1} A^{k-1-j}\, \Pi\, B^{j} \right) B^{i} = (\Pi_k)_l,$$

which both Alice and Bob can readily compute.

In order to attack the cryptosystem the following Diffie-Hellman problem has to be solved:

Problem 1. Given the matrix $M$ and the two public keys $\Pi_k$ and $\Pi_l$, find $(\Pi_k)_l = (\Pi_l)_k$.

3 Cryptanalysis of the system 

In this section we analyze the security of the CFVZ Diffie-Hellman key exchange as proposed in [2]. We will show that solving the Diffie-Hellman Problem has the same complexity as solving an ECDLP on $E(\mathbb{F}_q)$ together with two linear systems of equations, in $2rs$ and in $r + s - 1$ or fewer unknowns respectively.

For the applications, the curve $E$ and the field $\mathbb{F}_q$ are always chosen so that the group $E(\mathbb{F}_q)$ has prime order. However, here we will analyze the case when the group $E(\mathbb{F}_q)$ is cyclic of order $n$, since this introduces no extra difficulty.

3.1 Reduction to a matrix problem 

In a first step we show how to reduce the CFVZ discrete logarithm problem to a problem involving matrices defined over $\mathbb{Z}/n\mathbb{Z}$ only. For this assume that $P \in E(\mathbb{F}_q)$ is a generator of the cyclic group $E(\mathbb{F}_q)$.

Let $C = [c_{ij}] \in \mathrm{Mat}_{r\times s}(\mathbb{Z}/n\mathbb{Z})$ be a matrix such that

$$CP = \Pi, \quad \text{where } CP = [c_{ij}P].$$
Define the matrix

$$M = \begin{pmatrix} A & C \\ 0 & B \end{pmatrix}$$

and assume

$$M^k = \begin{pmatrix} A^k & C_k \\ 0 & B^k \end{pmatrix}, \quad \text{where } C_k = \sum_{i=0}^{k-1} A^{k-1-i}\, C\, B^{i}.$$

The following lemma is readily verified: 

Lemma 3.1. Let $k$ and $l$ be positive integers and let

$$\begin{pmatrix} A & C_l \\ 0 & B \end{pmatrix}^k = \begin{pmatrix} A^k & (C_l)_k \\ 0 & B^k \end{pmatrix}.$$

Then

$$\Pi_k = \left( \sum_{i=0}^{k-1} A^{k-1-i}\, C\, B^{i} \right) P = C_k P \quad \text{and} \quad (\Pi_l)_k = (C_l)_k P.$$



Based on this lemma, Problem 1 is solved if we solve a number of discrete logarithm problems over the elliptic curve $E(\mathbb{F}_q)$ together with the following matrix Diffie-Hellman problem:

Problem 2. Given the matrix $M$ and the two public keys $C_k$ and $C_l$, find $(C_k)_l = (C_l)_k$.

In order to solve the CFVZ discrete logarithm problem it is therefore enough to compute

$$\tau := 3rs \qquad (2)$$

discrete logarithm problems over the elliptic curve $E(\mathbb{F}_q)$, in order to obtain matrices $C_k$, $C_l$ and $C$ such that

$$\Pi = CP, \quad \Pi_k = C_k P, \quad \text{and} \quad \Pi_l = C_l P.$$

Thereafter one has to tackle the linear algebra Problem 2.

In the remainder of this subsection we show that solving $\tau$ discrete logarithm problems over the elliptic curve $E(\mathbb{F}_q)$ with regard to a fixed generator $P$ is considerably less complex than solving $\tau$ individual discrete logarithm problems. We now analyze the complexity of solving a fixed number of DLPs in a given cyclic group. We also refer the reader to [?] for a treatment of the same problem.

For this assume that $P_1, \dots, P_\tau$ are points in the elliptic curve group $E(\mathbb{F}_q)$. We would like to find integers $n_1, \dots, n_\tau$ such that

$$P_i = n_i P \quad \text{for } i = 1, \dots, \tau.$$



Using an adapted version of the Pollard rho algorithm we compute points of the form

$$Q_j = \sum_{i=1}^{\tau} c_{ij} P_i + d_j P \quad \text{with } c_{ij}, d_j \in \mathbb{Z}/n\mathbb{Z}.$$
We repeat this computation until there are more than $\tau$ equal pairs $Q_i = Q_j$ with $i \ne j$. This is a generalized birthday problem. Let $I_{ij}$ be the random variable having the value $1$ if $Q_i = Q_j$ and the value zero otherwise, and consider the random variable

$$W := \sum_{i<j} I_{ij}.$$

We are interested in having

$$P(W \ge \tau) > \frac{1}{2}, \qquad (3)$$

where $\tau$ is defined by (2). As explained in [?, p. 104-107] (compare also with the recent survey), the random variable $W$ is well approximated by a Poisson random variable. Based on this fact, the probability in (3) can be computed in the following way. Assume that $a$ points $Q_j$ were computed. Let

$$\lambda := \binom{a}{2} \Big/ n. \qquad (4)$$

Then the probability in (3) is approximated by the expression

$$P(W \ge \tau) = 1 - \sum_{i=0}^{\tau-1} e^{-\lambda}\, \frac{\lambda^i}{i!}.$$

Already in the early 18th century de Moivre [?, p. 214] was interested in the maximal value $\tau$ such that $P(W \ge \tau) > \frac{1}{2}$. Equivalently we can seek the minimal value $a$ such that with probability more than $1/2$ there will be at least $\tau$ collisions.

Viewing the Poisson distribution as the limit of a binomial distribution with expected value $\lambda$ given by (4), one readily gets the approximation

$$\tau \le \binom{a}{2} \Big/ n,$$

or equivalently

$$\sqrt{a(a-1)} \ge \sqrt{2\tau n}.$$

The expected number of point additions for the $\tau$ discrete logarithm problems over $E(\mathbb{F}_q)$ is therefore $O(\sqrt{rsn})$.

Once we have $t \ge \tau$ collisions we immediately obtain a system of $t$ linear equations

$$T \begin{pmatrix} P_1 \\ \vdots \\ P_\tau \end{pmatrix} = vP,$$

where $T \in \mathrm{Mat}_{t\times\tau}(\mathbb{Z}/n\mathbb{Z})$ and the vector $v \in (\mathbb{Z}/n\mathbb{Z})^{t}$. As soon as $T$ has full rank $\tau$, the points $P_i$ can all be computed from $P$ through a simple matrix inversion of $T$. Inverting $T$ over $\mathbb{Z}/n\mathbb{Z}$ requires $O(\tau^3)$ modular multiplications.

In order to simultaneously solve the given $\tau$ discrete logarithm problems, we can also follow a different approach. Let $d$ be the determinant of the matrix $T \in \mathrm{Mat}_{\tau\times\tau}(\mathbb{Z}/n\mathbb{Z})$ that we obtain after collecting $\tau$ relations among the given points. Let $g = \gcd(d, n)$ be the greatest common divisor of $d$ and $n$, and let $m = n/g$. Then $T$ has full rank over the ring $\mathbb{Z}/m\mathbb{Z}$. Hence a simple matrix inversion gives us $a_1, \dots, a_\tau \in \mathbb{Z}/m\mathbb{Z}$ such that $n_i \equiv a_i$ modulo $m$ for all $i = 1, \dots, \tau$. Because of the algorithm of Pohlig and Hellman, for all practical purposes we can assume that $n$ is of the form $n = lp$, where $p$ is prime and $l$ is small. The probability that the determinant $d$ is invertible modulo $p$ is equal to

$$\frac{|\mathrm{GL}_\tau(\mathbb{Z}/p\mathbb{Z})|}{|\mathrm{Mat}_{\tau\times\tau}(\mathbb{Z}/p\mathbb{Z})|}.$$

Here $|\mathrm{GL}_\tau(\mathbb{Z}/p\mathbb{Z})|$ denotes the number of invertible matrices of size $\tau \times \tau$ over $\mathbb{Z}/p\mathbb{Z}$, and $|\mathrm{Mat}_{\tau\times\tau}(\mathbb{Z}/p\mathbb{Z})|$ denotes the number of $\tau \times \tau$ matrices over $\mathbb{Z}/p\mathbb{Z}$. Therefore, with high probability we can determine the values of $n_1, \dots, n_\tau$ modulo $p$. If $l$ is small, then it is feasible to compute the $\tau \lceil l/2 \rceil$ points $a_i P, (a_i + p)P, \dots, (a_i + (\lceil l/2 \rceil - 1)p)P$ for $i = 1, \dots, \tau$, where $\lceil l/2 \rceil := \min\{b \in \mathbb{Z} \mid 2b \ge l\}$. Comparing them with $P_i$ and $-P_i$ one can recover the value of $n_i$ modulo $n$.

If $r$ and $s$ are chosen relatively small in comparison to the size $n$ of the elliptic curve, then the computation of the matrices $C_k$, $C_l$ and $C$ is dominated by the task of finding at least $3rs$ collisions, and this task has an expected complexity of $O(\sqrt{rsn})$ point additions.



3.2 Solution of the matrix problem 

We are given the matrix $M$ in block form, with $A \in \mathrm{Mat}_{r\times r}(\mathbb{Z}/n\mathbb{Z})$, $C \in \mathrm{Mat}_{r\times s}(\mathbb{Z}/n\mathbb{Z})$, and $B \in \mathrm{Mat}_{s\times s}(\mathbb{Z}/n\mathbb{Z})$. We are working under the assumption that both $A$ and $B$ are invertible. In fact, as we will see in the sequel, we do not need this assumption in the analysis of the complexity of Problem 2.

We can regard the operation of associating $C_i$ to $C$ as a map

$$-_i : \mathrm{Mat}_{r\times s}(\mathbb{Z}/n\mathbb{Z}) \to \mathrm{Mat}_{r\times s}(\mathbb{Z}/n\mathbb{Z}), \qquad C \mapsto C_i.$$

The next lemma shows that the map distributes with respect to the sum.

Lemma 3.2. For any $U, V \in \mathrm{Mat}_{r\times s}(\mathbb{Z}/n\mathbb{Z})$ we have the identity

$$(U + V)_i = U_i + V_i \quad \text{for } i \in \mathbb{N}.$$

Proof. Let

$$M_X = \begin{pmatrix} A & X \\ 0 & B \end{pmatrix}$$

for $X = U, V, U + V$. Then $X_i$ is defined by

$$(M_X)^i = \begin{pmatrix} A^i & X_i \\ 0 & B^i \end{pmatrix},$$

hence $X_i = A X_{i-1} + X B^{i-1}$. We prove the thesis by induction on $i$. If $i = 1$, then

$$(U + V)_1 = U + V = U_1 + V_1$$

and the thesis is readily verified. Assume that $(U + V)_{i-1} = U_{i-1} + V_{i-1}$ and prove the analogous identity for $i$. We have

$$(U + V)_i = A(U + V)_{i-1} + (U + V)B^{i-1} = AU_{i-1} + AV_{i-1} + UB^{i-1} + VB^{i-1} = U_i + V_i.$$

□



In the next lemma we prove that applying the map $-_i$ commutes with multiplying copies of $A$ on the left, and copies of $B$ on the right. In fact, the same is true if we multiply on the left by a matrix that commutes with $A$ and on the right by a matrix that commutes with $B$.

Lemma 3.3. For any $U \in \mathrm{Mat}_{r\times s}(\mathbb{Z}/n\mathbb{Z})$ and for any $j \in \mathbb{N}$ the following identities hold:

$$(A^j U)_i = A^j U_i, \qquad (UB^j)_i = U_i B^j.$$



Proof. Let

$$N = \begin{pmatrix} A & A^j U \\ 0 & B \end{pmatrix};$$

then $(A^j U)_i$ is defined by

$$N^i = \begin{pmatrix} A^i & (A^j U)_i \\ 0 & B^i \end{pmatrix}.$$

We prove the thesis by induction on $i$. If $i = 1$ then $(A^j U)_1 = A^j U = A^j U_1$, so the thesis is true. Assume that $(A^j U)_{i-1} = A^j U_{i-1}$ and prove the analogous identity for $i$. By direct computation, using the induction hypothesis, we obtain

$$(A^j U)_i = A(A^j U)_{i-1} + (A^j U)B^{i-1} = A(A^j U_{i-1}) + A^j(UB^{i-1}) = A^j(AU_{i-1} + UB^{i-1}) = A^j U_i.$$

We can obtain the second identity by a similar argument. □

In the next proposition we show how Problem 2 can be reduced to solving a linear system over $\mathbb{Z}/n\mathbb{Z}$.

Proposition 3.4. Consider the linear system

$$C_k = a_1 C_1 + \cdots + a_{r+s-1} C_{r+s-1}, \qquad (5)$$

where $C_1, \dots, C_{r+s-1}, C_k \in \mathrm{Mat}_{r\times s}(\mathbb{Z}/n\mathbb{Z})$ are known, and $a_1, \dots, a_{r+s-1} \in \mathbb{Z}/n\mathbb{Z}$ are the unknowns. The system has (at least) a solution. Any solution of (5) determines a homogeneous linear form $f_k(x_1, \dots, x_{r+s-1}) = a_1 x_1 + \cdots + a_{r+s-1} x_{r+s-1} \in (\mathbb{Z}/n\mathbb{Z})[x_1, \dots, x_{r+s-1}]$ such that for all $l \in \mathbb{N}$ one has

$$(C_l)_k = f_k\big((C_l)_1, \dots, (C_l)_{r+s-1}\big).$$
Proof. Let $\chi_M(x) = \det(xI - M)$ be the characteristic polynomial of $M$. Since $\chi_M(M) = 0$, there exist $\alpha_0, \dots, \alpha_{r+s-1} \in \mathbb{F}_p$ such that

$$M^k = \sum_{i=0}^{r+s-1} \alpha_i M^i.$$

Hence by definition

$$C_k = \sum_{i=0}^{r+s-1} \alpha_i C_i = \sum_{i=1}^{r+s-1} \alpha_i C_i,$$

since $C_0 = 0$. Then $(\alpha_1, \dots, \alpha_{r+s-1})$ is a solution of the linear system (5); in particular the system always has at least a solution.

Now let $(a_1, \dots, a_{r+s-1})$ be a solution of (5). We claim that for all $l \in \mathbb{N}$ one has

$$(C_l)_k = \sum_{i=1}^{r+s-1} a_i (C_l)_i.$$

The thesis is trivially verified for $l = 0$ since $C_0 = 0$. If $l = 1$ then $(C_1)_i = C_i$ for all $i$, and

$$(C_1)_k = C_k = \sum_{i=1}^{r+s-1} a_i C_i = \sum_{i=1}^{r+s-1} a_i (C_1)_i,$$

since $(a_1, \dots, a_{r+s-1})$ is a solution of (5) by assumption. We proceed by induction on $l > 1$.

Assume that the thesis holds for $l - 1$ and prove it for $l$. By the induction hypothesis we have that

$$(C_{l-1})_k = \sum_{i=1}^{r+s-1} a_i (C_{l-1})_i.$$

Since $C_l = AC_{l-1} + C_1 B^{l-1}$, by Lemmas 3.2 and 3.3 we have the following chain of equalities:

$$\begin{aligned}
\sum_{i=1}^{r+s-1} a_i (C_l)_i &= \sum_{i=1}^{r+s-1} a_i \big(AC_{l-1} + C_1 B^{l-1}\big)_i \\
&= \sum_{i=1}^{r+s-1} a_i (AC_{l-1})_i + \sum_{i=1}^{r+s-1} a_i (C_1 B^{l-1})_i \\
&= \sum_{i=1}^{r+s-1} a_i A (C_{l-1})_i + \sum_{i=1}^{r+s-1} a_i (C_1)_i B^{l-1} \\
&= A \left( \sum_{i=1}^{r+s-1} a_i (C_{l-1})_i \right) + \left( \sum_{i=1}^{r+s-1} a_i (C_1)_i \right) B^{l-1} \\
&= A (C_k)_{l-1} + C_k B^{l-1},
\end{aligned}$$

where the last equality follows from the fact that for each $i, j$ one has $(C_i)_j = (C_j)_i$. Moreover, by definition one has that

$$A(C_k)_{l-1} + C_k B^{l-1} = (C_k)_l = (C_l)_k.$$

This completes the proof. □



Remarks 3.5.

• In the proof of Proposition 3.4 we do not need to make any assumption on the matrices $A, B$. In fact, we only require the existence of a polynomial $\chi_M(x)$ of degree smaller than or equal to $r + s - 1$, with the property that $\chi_M(M) = 0$. Such a polynomial $\chi_M(x)$ always exists, since every square matrix over a finite field has a minimal and a characteristic polynomial. In particular, we do not need to assume that $A$ and $B$ are invertible.

• The system (5) may or may not have a unique solution. If the system does not have a unique solution, one of its solutions does not necessarily give us enough information to recover $A^k$ or $B^k$, hence $k$ (solving a DLP in a matrix group).

• The rank of the system (5), hence the dimension of the family of solutions of the system itself, is not relevant towards the goal of solving Problem 2. In fact, it follows from Proposition 3.4 that any solution of (5) enables us to compute $(C_l)_k$ from the knowledge of $C_k$ and $C_l$. In practice, in order to simplify the computations it may be useful to choose a sparse solution of the linear system (5) whenever this is possible.

• A necessary condition for uniqueness of the solution of the system (5) is that $M$ be non-derogatory (i.e. $\chi_M(x)$ is equal to the minimal polynomial of $M$).

The next corollary is a straightforward consequence of Proposition 3.4.

Corollary 3.6. With the notation of Section 1 and of Proposition 3.4 one has

$$(\Pi_l)_k = f_k\big(\Pi_l, (\Pi_l)_2, \dots, (\Pi_l)_{r+s-1}\big). \qquad (6)$$

4 Complexity Analysis

In this paper we analyzed the complexity of solving the Diffie-Hellman Problem, as arising from the Diffie-Hellman key exchange proposed in [2]. The approach that we suggest in order to solve the problem is the following:

1. Use a modified version of the rho algorithm of Pollard and find matrices $C, C_k, C_l \in \mathrm{Mat}_{r\times s}(\mathbb{Z}/n\mathbb{Z})$ such that $CP = \Pi$, $C_k P = \Pi_k$, and $C_l P = \Pi_l$.

2. Compute $C_1, \dots, C_{r+s-1}$, then find one solution $(a_1, \dots, a_{r+s-1})$ of the linear system (5).
3. Compute $(C_l)_k = a_1 (C_l)_1 + \cdots + a_{r+s-1} (C_l)_{r+s-1}$.

4. Compute the secret key $(\Pi_l)_k = (C_l)_k P$.
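The following Python is an added example, not code from the paper or from the CFVZ authors: it models steps 2 to 4 of the above procedure after the reduction of Section 3.1, i.e. with every curve point replaced by its discrete logarithm so that all matrices live in $\mathbb{Z}/n\mathbb{Z}$ (step 1, the DLP solving, is thereby assumed done). The toy prime $n$, the blocks $A$, $B$, $C$ of $M$ and the private keys $k$, $l$ are constructed values; the block builds the public keys by the recurrence of Section 2, solves (5) by Gaussian elimination modulo $n$, and recovers the shared secret $(C_l)_k$ as in Proposition 3.4 without using $k$ or $l$.

```python
# Toy model of the CFVZ exchange after the reduction of Section 3.1 (all values constructed).
n = 101                         # toy prime group order standing in for |E(F_q)|
A = [[2, 3], [1, 4]]            # r x r block of the public matrix M
B = [[5, 1], [2, 7]]            # s x s block of M
C = [[9, 8], [3, 6]]            # r x s block of M, i.e. Pi = C P
k, l = 17, 29                   # Alice's and Bob's private keys

def matmul(X, Y):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % n
             for j in range(len(Y[0]))] for i in range(len(X))]
def matadd(X, Y):
    return [[(x + y) % n for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def block_powers(A, B, X, m):
    """[X_0, ..., X_m]: upper-right blocks of [[A, X], [0, B]]^i, via X_i = A X_{i-1} + X B^{i-1}."""
    seq = [[[0] * len(X[0]) for _ in X]]
    Bpow = [[int(i == j) for j in range(len(B))] for i in range(len(B))]
    for _ in range(m):
        seq.append(matadd(matmul(A, seq[-1]), matmul(X, Bpow)))
        Bpow = matmul(Bpow, B)
    return seq

def solve_mod_p(rows, rhs):
    """One solution of rows * a = rhs over Z/nZ (n prime); free unknowns are set to 0."""
    aug = [row[:] + [b] for row, b in zip(rows, rhs)]
    pivots, prow = [], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(prow, len(aug)) if aug[i][col]), None)
        if piv is None:
            continue
        aug[prow], aug[piv] = aug[piv], aug[prow]
        inv = pow(aug[prow][col], -1, n)
        aug[prow] = [x * inv % n for x in aug[prow]]
        for i in range(len(aug)):
            if i != prow and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % n for x, y in zip(aug[i], aug[prow])]
        pivots.append((prow, col))
        prow += 1
    if any(not any(row[:-1]) and row[-1] for row in aug):
        raise ValueError("inconsistent system")  # excluded by Proposition 3.4
    sol = [0] * len(rows[0])
    for i, col in pivots:
        sol[col] = aug[i][-1]
    return sol

def recover_shared_secret(A, B, C, Ck, Cl):
    """Steps 2-3: solve C_k = sum a_i C_i (i = 1..r+s-1), then (C_l)_k = sum a_i (C_l)_i."""
    d = len(A) + len(B) - 1
    basis = block_powers(A, B, C, d)[1:]               # C_1 .. C_{r+s-1}
    cells = [(p, q) for p in range(len(C)) for q in range(len(C[0]))]
    a = solve_mod_p([[basis[i][p][q] for i in range(d)] for p, q in cells],
                    [Ck[p][q] for p, q in cells])      # one solution of (5)
    secret = [[0] * len(C[0]) for _ in C]
    for ai, X in zip(a, block_powers(A, B, Cl, d)[1:]):  # (C_l)_1 .. (C_l)_{r+s-1}
        secret = matadd(secret, [[ai * x % n for x in row] for row in X])
    return secret

Ck = block_powers(A, B, C, k)[k]                        # Alice's public key, as C_k
Cl = block_powers(A, B, C, l)[l]                        # Bob's public key, as C_l
SHARED = block_powers(A, B, Cl, k)[k]                   # (C_l)_k: what Alice computes with k
```

The eavesdropper's call `recover_shared_secret(A, B, C, Ck, Cl)` returns `SHARED`, which also equals Bob's `block_powers(A, B, Ck, l)[l]`; only the public data $M$, $C_k$, $C_l$ enters the computation.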

We showed that the complexity of the first step amounts to solving $\tau = 3rs$ simultaneous DLPs in $E(\mathbb{F}_q)$, and the expected complexity is $O(\sqrt{rsn})$.

The complexity of the second step amounts to the inversion of an $(r + s - 1) \times (r + s - 1)$ matrix over $\mathbb{Z}/n\mathbb{Z}$. When $n \gg r, s$ this complexity is polynomial in $\log n$. Similarly the third step is an easy linear algebra task. Finally the fourth step involves a number of costly point additions on the elliptic curve.

When $n \gg r, s$ the complexity of the first step dominates the complexities of the other steps. In this case the complexity of solving Problem 1 is at most $O(\sqrt{rsn})$.

Instead of computing $3rs$ DLPs it is also possible to only find the matrices $C$ and $C_k$ by solving $2rs$ DLPs. As in step 2 one finds $(a_1, \dots, a_{r+s-1})$ satisfying (5).

Using the recurrence relation one then finds $(\Pi_l)_1, \dots, (\Pi_l)_{r+s-1}$. From this the secret key $(\Pi_l)_k$ is readily computed as

$$(\Pi_l)_k = a_1 (\Pi_l)_1 + \cdots + a_{r+s-1} (\Pi_l)_{r+s-1}.$$

The advantage of this variant of the algorithm is that only $2rs$ DLPs have to be computed. The disadvantage is that many more point additions are required in order to compute $(\Pi_l)_k$. This variant is however faster in situations when $r, s$ are small in comparison to $n$.